spf-discuss

Re: Re: RFC 2821 and responsibility for forwarding

2004-12-07 08:04:37
David Woodhouse wrote:
> On Tue, 2004-12-07 at 14:01 +0000, Richard Bang wrote:
>
>> Open relays were wonderful, but abused, so they are being closed. Simple
>> cheap forwarding is wonderful, but being abused, so it has to be closed.
>
> No, the forwarding isn't being abused. You're trying to solve the
> problem of spammers forging addresses, remember? Forwarding isn't
> actually the problem you started with. It's just that forwarding is
> indistinguishable from 'forgery' in your proposed solution to the
> original problem.

BING! Give the man a cookie, he begins to get it!

It is the type of forwarding that is indistinguishable from forgery
that is the only type affected by SPF.

If the forwarding host rewrites the MAIL FROM and does any of
a number of methods to ensure that bounces/DSNs get routed
properly then the existence (or lack thereof) of an SPF record
for the originating site is irrelevant.

I personally favor DB-backed forwarding, but SRS, RSR or any of
a large number of other potential solutions are usable.

Database backed forwarding has the advantage of being unspoofable.
It has the disadvantage of being unimplemented yet to my knowledge, but
since I am not running a forwarding mailserver I'm not likely to
implement it myself.


> But there are other solutions to the original problem which don't have
> this problem with forwarding. Thus, the 'cheap forwarding' of which you
> speak does not have to be 'closed'.
>
> If changes _have_ to be made, you'll find that people support them;
> witness the fairly widespread support for closing open relays, as you
> pointed out. The difference here is that it _isn't_ actually necessary
> to break forwarding; there are multiple alternative solutions to the
> problem of forgery, which don't break forwarding.

Contrary to your assertion here, I have yet to see a solution
to the forgery problem that combines the utility and usability
of SPF in one solution.  The sorts of hack necessary to prevent
up front forgery while allowing forgery-based forwarding inherently
reduce the usability and transparency of the system.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
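
One way the database-backed forwarding mentioned in the message above could work, as an added example that is not part of the original post and not taken from any existing implementation: the forwarder replaces MAIL FROM with a random token address in its own domain, stores the original sender against that token, and routes a bounce only if the token is found and unexpired. The domain `forwarder.example`, the `fwd-` prefix, the table layout and the seven-day lifetime are all assumptions.

```python
import secrets
import sqlite3
import time

FORWARDER_DOMAIN = "forwarder.example"   # assumed domain of the forwarding host
TOKEN_TTL = 7 * 24 * 3600                # assumed lifetime of a return path, seconds


class ForwardingDB:
    """Maps opaque return-path tokens to the original envelope sender."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS return_path ("
            "token TEXT PRIMARY KEY, orig_sender TEXT NOT NULL, "
            "expires REAL NOT NULL)"
        )

    def rewrite_mail_from(self, orig_sender, now=None):
        """Return the MAIL FROM to use when relaying a forwarded message."""
        if orig_sender == "":            # null sender (a DSN): nothing to route back
            return ""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)    # random: no structure a forger could compute
        self.db.execute("INSERT INTO return_path VALUES (?, ?, ?)",
                        (token, orig_sender, now + TOKEN_TTL))
        self.db.commit()
        # The receiving site now evaluates SPF for FORWARDER_DOMAIN,
        # not for the originating site's domain.
        return f"fwd-{token}@{FORWARDER_DOMAIN}"

    def route_bounce(self, rcpt_to, now=None):
        """Return the original sender for a bounce, or None to reject it."""
        now = time.time() if now is None else now
        local, _, domain = rcpt_to.rpartition("@")
        if domain.lower() != FORWARDER_DOMAIN or not local.startswith("fwd-"):
            return None
        row = self.db.execute(
            "SELECT orig_sender FROM return_path WHERE token = ? AND expires > ?",
            (local[4:].lower(), now)).fetchone()
        return row[0] if row else None   # unknown or expired token: reject
```

Unlike a signed rewriting scheme, the address here contains nothing derived from the original sender, so a bounce address is valid only if the forwarder itself issued it.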

